Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!aplcen!ginosko!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Notes on the SWAP virus (PC)
Message-ID: <0001.8909151206.AA24769@ge.sei.cmu.edu>
Date: 14 Sep 89 17:49:48 GMT
Sender: Virus Discussion List
Lines: 31
Approved: krvw@sei.cmu.edu

The SWAP virus that was recently discovered in Israel is somewhat different from other PC boot sector viruses.

Normally a BSV replaces the boot sector with virus code, and stores the original boot sector somewhere. In some cases the boot sector is stored in unused space, which is then marked as bad in the FAT (Ping-Pong, Typo, Brain). In other cases the virus stores the boot sector in a sector that is not likely to be used (Yale, Den Zuk, Stoned). One virus (Pentagon) even stores the boot sector in a hidden file.

When the computer is booted from an infected disk, the code on the boot sector will read the rest of the virus into memory. The virus will then install itself, read the original boot sector and transfer control to it.

SWAP is different - it does not store the original boot sector at all. Instead it assumes that bytes 196-1B4 (hex) on the boot sector contain messages that can be safely overwritten. This is true for most (but not all) boot sectors. It also assumes that the boot sector starts with a JMP instruction.

The virus then replaces these bytes with code to read the rest of the virus (which is stored at track 39, sectors 6 and 7) into memory. The virus will then execute the original boot code.

The fact that this virus does not store the original boot sector makes it hard (and in some cases impossible) to repair an infected diskette.

Fridrik Skulason
University of Iceland
frisk@rhi.hi.is

Guvf yvar vagragvbanyyl yrsg oynax
.................
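The overwrite mechanism described in the post, modelled as an added example on a constructed 512-byte boot sector image. This is editor-supplied illustration, not the original post's content and not SWAP's code: the offsets 196h-1B4h, the leading-JMP assumption and the track 39 / sectors 6-7 location come from the post; the sample boot sector, the stand-in loader bytes and the function names are assumptions made here. The block shows why the infection is destructive (no copy of the original bytes is kept), a heuristic a scanner can apply to a disk image (code-like bytes where message text is expected), and the only repair path left, matching the rest of the sector against a known-good template.

```python
# Constructed model of the SWAP boot-sector overwrite described in the post.
# Added by the editor; not the original post's content and not SWAP's own code.
# Offsets and assumptions are the post's; the sample sector and loader bytes
# are illustrative stand-ins.
from typing import Iterable, Optional

SECTOR_SIZE = 512
MSG_START, MSG_END = 0x196, 0x1B4          # inclusive range named in the post
REGION = slice(MSG_START, MSG_END + 1)
LOADER_LEN = MSG_END - MSG_START + 1       # 31 bytes the virus can overwrite
BOOT_SIGNATURE = b"\x55\xAA"

# Stand-in for the loader dropped into the message area: a BIOS INT 13h read
# of 2 sectors at track 39 (27h), sector 6, padded with NOPs. Constructed so
# it is recognisably code rather than text; it is NOT the real SWAP loader
# (a real one would also set ES:BX and jump to what it loaded).
SAMPLE_LOADER = bytes([
    0xB4, 0x02,        # mov ah, 02h   (BIOS read sectors)
    0xB0, 0x02,        # mov al, 2     (sectors 6 and 7)
    0xB5, 0x27,        # mov ch, 39    (track 39)
    0xB1, 0x06,        # mov cl, 6
    0xB6, 0x00,        # mov dh, 0     (head 0)
    0xCD, 0x13,        # int 13h
]) + b"\x90" * (LOADER_LEN - 12)


def make_clean_boot_sector(message: bytes = b"Non-System disk or disk error\r\n") -> bytes:
    """Constructed 'typical' DOS-style boot sector: JMP at offset 0, an OEM
    name placeholder, the error text inside 196h-1B4h, 55AAh at the end."""
    if len(message) > LOADER_LEN:
        raise ValueError("message does not fit in 196h-1B4h")
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                 # jmp short +3Ch ; nop
    sec[3:11] = b"MSDOS3.3"                    # OEM name placeholder
    sec[REGION] = message.ljust(LOADER_LEN, b"\x00")
    sec[-2:] = BOOT_SIGNATURE
    return bytes(sec)


def starts_with_jmp(sec: bytes) -> bool:
    """SWAP's first assumption: the sector begins with JMP short (EBh) or JMP near (E9h)."""
    return len(sec) == SECTOR_SIZE and sec[0] in (0xEB, 0xE9)


def region_is_text(sec: bytes) -> bool:
    """SWAP's second assumption: 196h-1B4h holds message text it may clobber.
    Printable ASCII plus CR/LF/NUL padding counts as text here."""
    return all(0x20 <= b < 0x7F or b in (0x0D, 0x0A, 0x00) for b in sec[REGION])


def swap_style_infect(sec: bytes, loader: bytes = SAMPLE_LOADER) -> bytes:
    """Overwrite the message area in place. Note what is NOT done: the original
    sector is not copied anywhere, which is the point of the post."""
    if not starts_with_jmp(sec):
        raise ValueError("SWAP assumes a leading JMP; this sector has none")
    if len(loader) != LOADER_LEN:
        raise ValueError("loader must exactly fill 196h-1B4h")
    return sec[:MSG_START] + loader + sec[MSG_END + 1:]


def looks_swap_infected(sec: bytes) -> bool:
    """Heuristic for a disk image: intact JMP and boot signature, but
    code-like bytes where a boot sector normally keeps its message text."""
    return starts_with_jmp(sec) and sec[-2:] == BOOT_SIGNATURE and not region_is_text(sec)


def repair_from_template(infected: bytes, known_clean: Iterable[bytes]) -> Optional[bytes]:
    """The only repair left without a stored copy: find a known-good boot sector
    that matches the infected one everywhere outside the overwritten region and
    take its message bytes. Returns None when nothing matches (the 'impossible'
    case the post mentions)."""
    for clean in known_clean:
        if (clean[:MSG_START] == infected[:MSG_START]
                and clean[MSG_END + 1:] == infected[MSG_END + 1:]):
            return clean
    return None


if __name__ == "__main__":
    clean = make_clean_boot_sector()
    infected = swap_style_infect(clean)
    print("clean flagged:", looks_swap_infected(clean))
    print("infected flagged:", looks_swap_infected(infected))
    print("repairable with template:", repair_from_template(infected, [clean]) == clean)
    print("repairable without template:", repair_from_template(infected, []) is not None)
```

The heuristic only catches sectors where the message region was text before infection; a boot sector that already held code at 196h-1B4h would be broken by SWAP rather than merely infected, and `region_is_text` would report it the same way, so it is a triage check, not a definitive signature.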